The U.S. has struck a rare blow against an international ransomware gang, charging one alleged member of a hacker ring that has shut down health care facilities, colleges and utilities companies.
The Justice Department also helped seize computers related to a custom ransomware known as NetWalker, it announced Wednesday. Ransomware is a type of malicious software that is used to infect computer systems, which are then held for ransom, usually in payments of cryptocurrencies.
For several years, the hackers that operated NetWalker broke into victims’ networks and encrypted their files, demanding payment in bitcoin and sometimes posting their private files on their blog if they didn’t quickly pay up.
In recent months NetWalker was used to extort victims including Lorien Health Systems, a Maryland assisted-living facility for seniors; Crozer-Keystone Health System, a chain of four hospitals in Pennsylvania, Delaware, and New Jersey; and the University of California, San Francisco.
Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future, said NetWalker’s frequent attacks made it one of the bigger ransomware gangs operating in recent history, but not the worst.
“Simply in terms of number of victims posted to extortion sites, they were fourth,” he said in a text message.
The charges also indicate how much of an uphill battle the U.S. faces in combating ransomware hackers, who have steadily attacked Americans, companies and institutions in recent years. Hackers can work together from all around the world and often take pains to hide their tracks. Cryptocurrencies can be difficult to track when laundered through third-party companies. And some countries that house ransomware operators, like Russia, don’t extradite their citizens.
The Department of Justice announced charges against only one person, Sebastien Vachon-Desjardins, a Canadian national currently held by Canadian authorities, though it said he was part of conspiracies to commit both computer fraud and wire fraud. The announcement also said it had seized less than half a million dollars in cryptocurrency from Vachon-Desjardins, while noting that he is alleged to have stolen more than $27.6 million.
In a joint effort, Bulgarian law enforcement seized computers affiliated with NetWalker. A dark web blog that previously posted the files of NetWalker victims who refused to pay the ransom now displays a graphic that says it was seized by government agencies.
While the seizure is unlikely to immediately stop everyone involved with that ransomware gang, it is possible that it could be used to find a way to restore the computers of NetWalker victims, said Brett Callow, a threat analyst at the cybersecurity company Emsisoft.
“The seizing of the site is definitely a win for the good guys — and even more of a win if the FBI were able to obtain the decryption keys,” he said in a text message.